Protecting Your Data.
Introduction.
All organizations that process personal data must comply with relevant U.S. privacy laws, such as the Federal Trade Commission (FTC) Act and other federal regulations. These laws grant individuals certain rights over their personal data while imposing specific obligations on organizations that handle this data.
As a recruitment business, Scrumteck collects and processes both personal and sensitive data. We do so to comply with applicable laws and maintain this data for varying periods based on its nature.
This policy outlines how Scrumteck implements U.S. privacy laws and should be read alongside our Data Protection Procedure.
Definitions.
In this policy, the following terms have the following meanings:
- ‘Consent’ means a freely given, specific, informed, and unambiguous indication of an individual’s wishes, signified by a clear affirmative action, agreeing to the processing of their personal data.
- ‘Data Controller’ refers to an individual or organization that determines the purposes and means of processing personal data.
- ‘Data Processor’ means an individual or organization that processes personal data on behalf of the Data Controller.
- ‘Personal Data’ means any information relating to an identifiable individual, such as a name, identification number, location data, online identifier, or specific characteristics like physical, physiological, genetic, mental, economic, cultural, or social identity.
- ‘Personal Data Breach’ means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
- ‘Processing’ includes any operation or set of operations performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.
- ‘Profiling’ refers to any automated processing of personal data to evaluate certain personal aspects, particularly to analyze or predict aspects concerning an individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- ‘Pseudonymization’ means processing personal data so that it can no longer be attributed to a specific individual without additional information, provided that the additional information is kept separately and secured.
- ‘Sensitive Personal Data’ includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning an individual’s sex life or sexual orientation, and criminal convictions.
Note: For this policy, ‘Personal Data’ includes ‘Sensitive Personal Data’ except where specifically differentiated.
- ‘Supervisory Authority’ in the U.S. context would generally refer to relevant federal agencies such as the Federal Trade Commission (FTC), which is responsible for enforcing data protection regulations.
All these definitions are italicized throughout this policy to remind the reader that they are defined terms.
Data processing under the Data Protection Laws.
Scrumteck processes personal data related to its staff, job seekers, and individual client contacts, acting as a data controller under U.S. privacy laws. Scrumteck is responsible for the following purposes:
- Staff administration
- Advertising, marketing, and public relations
- Accounts and records management
- Administration and processing of job seekers’ personal data for providing work-finding services, including using software solutions and back-office support
- Administration and processing of clients’ personal data for the purpose of supplying or introducing job seekers
The data protection principles.
U.S. privacy laws require Scrumteck, acting as either a data controller or data processor, to process personal data in accordance with key principles. These principles ensure that personal data is:
- Processed lawfully, fairly, and transparently.
- Collected for specified, legitimate purposes and not further processed in incompatible ways.
- Adequate, relevant, and limited to what is necessary.
- Accurate and kept up to date, with inaccuracies promptly corrected.
- Retained only as long as necessary for its intended purpose.
- Secured against unauthorized access, loss, or damage using appropriate technical and organizational measures.
Scrumteck is responsible for and must demonstrate compliance with these principles.
Legal bases for processing.
Scrumteck will only process personal data where it has a legal basis for doing so. Where the Company does not have a legal reason for processing personal data any processing will be a breach of the Data Protection Laws. The Company will review the personal data it holds on a regular basis to ensure it is being lawfully processed and it is accurate, relevant and up to date and those people listed in the Appendix shall be responsible for doing this. Before transferring personal data to any third party (such as past, current or prospective employers, suppliers, customers and clients, intermediaries such as umbrella companies, persons making an enquiry or complaint and any other third party (such as software solutions providers and back office support)), the Company will establish that it has a legal reason for making the transfer.
Privacy by design and by default.
Scrumteck has implemented comprehensive measures and procedures to safeguard individuals’ privacy and ensure that data protection is integrated into all processing activities. These measures include:
- Data Minimization: Limiting the retention of data to only what is necessary for the intended purpose.
- Pseudonymization: Using pseudonyms to protect individuals’ identities.
- Anonymization: Removing personal identifiers from data to ensure anonymity.
- Cyber Security: Implementing robust cybersecurity practices to protect data from unauthorized access and breaches.
For more details, please refer to Scrumteck’s Information Security Policy.
Scrumteck is committed to providing information related to data processing in a clear, transparent, and accessible manner. This information will be presented in a concise, intelligible format, using plain language. It will be provided in writing or electronically, as appropriate. If requested by an individual, Scrumteck may also provide this information orally.
Rights of the Individual.
Privacy notices
When Scrumteck collects personal data directly from an individual, we will provide a privacy notice at the time of collection.
If Scrumteck collects personal data from sources other than the individual directly, we will issue a privacy notice within a reasonable period after obtaining the data, but no later than one month. If we plan to disclose the personal data to a third party, the privacy notice will be provided at the time of disclosure, unless it has been provided earlier.
Should Scrumteck intend to process personal data for a purpose other than the one for which it was originally collected, we will inform the individual of this new purpose and provide any relevant information before proceeding with the further processing.
Subject access requests
Rectification
Individuals, or another data controller acting on their behalf, have the right to request that Scrumteck correct any inaccurate or incomplete personal data concerning them.
If Scrumteck has shared the personal data with any third parties, we will notify those third parties of the request for rectification, unless doing so is impossible or involves disproportionate effort. While we will inform the third parties of the need for rectification, Scrumteck cannot audit those third parties to verify that the correction has been made.
Erasure
Individuals, or another data controller acting on their behalf, have the right to request that Scrumteck erase their personal data.
When Scrumteck receives a request for erasure, we will ask the individual if they wish for their data to be completely removed or if they prefer to be included on a list of individuals who do not wish to be contacted in the future (for a specified period or otherwise). Please note that Scrumteck cannot maintain a record of individuals whose data has been erased, so the individual may be contacted again if their personal data is obtained by Scrumteck in the future.
If Scrumteck has made the data public, we will take reasonable steps to inform other data controllers and data processors handling the personal data to erase it, considering the available technology and implementation costs.
If Scrumteck has shared personal data with third parties, we will notify those third parties of the request to erase the data, unless it is impossible or involves disproportionate effort. While we will inform third parties of the need for erasure, Scrumteck cannot audit them to ensure the erasure has been completed.
Data portability
Individuals have the right to receive personal data concerning them, which they have provided to Scrumteck, in a structured, commonly used, and machine-readable format. They also have the right to transmit this data to another data controller under the following conditions:
- The processing is based on the individual’s consent or a contract.
- The processing is carried out by automated means.
Where feasible, Scrumteck will send the personal data directly to a specified third party at the individual’s request.
Object to processing
Individuals have the right to object to the processing of their personal data based on public interest or legitimate interest grounds. This right also applies to objections against the profiling of their data on similar grounds.
Scrumteck will cease processing the personal data upon receiving an objection unless we have compelling legitimate grounds to continue processing that override the individual’s interests, rights, and freedoms, or if the processing is necessary for the establishment, exercise, or defense of legal claims.
Additionally, individuals have the right to object to the processing of their personal data for direct marketing purposes. For more information, please refer to Scrumteck’s Marketing Policy.
Enforcement of rights
All requests regarding individual rights should be directed to the contact person listed in the Appendix.
Scrumteck will respond to any subject access request, or requests related to rectification, erasure, restriction, data portability, objection, or automated decision-making processes, including profiling, within one month of receiving the request. If necessary, this period may be extended by up to two additional months, depending on the complexity and volume of the requests.
If Scrumteck deems a request to be manifestly unfounded or excessive due to its repetitive nature, we may either refuse to act on the request or charge a reasonable fee to cover the administrative costs involved.
Automated decision making
Scrumteck will not subject individuals to decisions based solely on automated processing that produces a legal effect or a similarly significant effect, except in the following circumstances:
- The automated decision is necessary for entering into or performing a contract between Scrumteck and the individual.
- The automated decision is authorized by law.
- The individual has provided explicit consent.
Additionally, Scrumteck will not engage in automated decision-making or profiling using the personal data of children.
Reporting personal data breaches.
Personal data breaches where the Company is the data controller:
When Scrumteck is the data controller and identifies a personal data breach, we will take appropriate steps to contain and recover from the breach. If the breach is likely to result in a risk to the rights and freedoms of any individual, Scrumteck will notify the relevant data protection authority, such as the U.S. Department of Health and Human Services (HHS) for HIPAA-related breaches or other applicable state regulatory agencies.
If the personal data breach occurs outside the US, Scrumteck will alert the appropriate supervisory authority in the affected jurisdiction.
Personal data breaches where the Company is the data processor:
Communicating personal data breaches to individuals
If Scrumteck identifies a personal data breach that poses a high risk to the rights and freedoms of any individual, we will notify all affected individuals without undue delay.
Scrumteck is not required to notify individuals of the breach if:
- We have implemented appropriate technical and organizational measures to protect the affected personal data, such as encryption, which makes the data unintelligible to unauthorized persons.
- We have taken subsequent measures that ensure the high risk to individuals’ rights and freedoms is no longer likely to materialize.
- It would involve disproportionate effort to notify all affected individuals. In such cases, Scrumteck will make a public communication or similar measure to inform all affected individuals.
Rights Under US Law.
Scrumteck is committed to respecting the following rights in the handling of personal data, in alignment with US legal standards:
Right to Respect for Private and Family Life: This right is analogous to the Fourth Amendment of the US Constitution, which protects individuals against unreasonable searches and seizures, ensuring privacy in their personal and home affairs.
Freedom of Thought, Belief, and Religion: This right corresponds to the First Amendment of the US Constitution, which guarantees the freedom of religion, speech, and expression.
Freedom of Expression: This right is protected under the First Amendment of the US Constitution, which safeguards the freedom of speech and expression.
Freedom of Assembly and Association: This right aligns with the First Amendment of the US Constitution, which protects the rights to peacefully assemble and associate with others.
Protection from Discrimination: This right is covered by the Equal Protection Clause of the Fourteenth Amendment to the US Constitution, which prohibits discrimination and ensures equal protection under the law.
Scrumteck applies these principles to uphold the highest standards of human rights and privacy protection in compliance with US laws.
Complaints.
If you have a complaint or suggestion regarding Scrumteck’s handling of personal data, please contact the person listed in the Appendix of this policy.
Alternatively, you can reach out to the appropriate US regulatory bodies:
- For privacy and data protection concerns, you may contact the Federal Trade Commission (FTC) at 1-877-FTC-HELP (1-877-382-4357) or visit FTC’s Complaint Assistant.
- For issues related to health data, you can contact the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) at 1-800-368-1019 or visit HHS OCR.
Responsibilities:
- Adding, Amending, or Deleting Personal Data: [Name of responsible person]
- Responding to Subject Access Requests/Requests for Rectification, Erasure, Restriction, Data Portability, Objection, and Automated Decision-Making Processes: [Name of responsible person]
- Reporting Data Breaches/Dealing with Complaints: Abdul Yusuf – Director
For any other concerns or additional information, please contact the person whose details are listed in the Appendix to this policy.
The lawfulness of processing conditions for sensitive personal data are:
Scrumteck processes personal data based on the following legal grounds, aligned with US data protection standards:
Explicit Consent: Processing is carried out with the explicit consent of the individual for one or more specified purposes, unless consent is restricted by federal or state laws.
Employment and Social Protection Obligations: Processing is necessary for fulfilling obligations under employment, social security, or social protection laws, or collective agreements, ensuring appropriate safeguards for the rights and interests of the individual.
Vital Interests: Processing is necessary to protect the vital interests of the individual or another person where the individual is physically or legally unable to give consent.
Legitimate Activities of Non-Profit Organizations: In the course of its legitimate activities, processing may be conducted with appropriate safeguards by a foundation, association, or other not-for-profit body with a political, philosophical, religious, or trade union aim, provided the processing relates only to members or former members and does not involve disclosure to third parties without consent.
Public Data: Processing relates to personal data that the individual has intentionally made public.
Legal Claims: Processing is necessary for the establishment, exercise, or defense of legal claims or when courts are acting in their judicial capacity.
Public Interest: Processing is necessary for reasons of substantial public interest, provided it is proportionate to the aim pursued and includes measures to safeguard the fundamental rights and interests of the individual.
Health and Medical Purposes: Processing is necessary for preventative or occupational medicine, medical diagnosis, health or social care, or the management of health or social care systems, based on relevant laws or contracts with health professionals and subject to necessary conditions and safeguards.
Public Health: Processing is necessary for public health reasons, such as protecting against serious cross-border health threats or ensuring high standards of healthcare and medicinal products, in accordance with relevant laws and safeguards.
Research and Statistics: Processing is necessary for archiving purposes in the public interest, scientific or historical research, or statistical purposes, ensuring it is proportionate, respects data protection rights, and includes suitable measures to safeguard individual rights.